5 Stages in Cybersecurity: FTC Law Enforcement Actions Mapped to the NIST Framework
The Federal Trade Commission (FTC) has explained how companies can leverage NIST's Cybersecurity Framework and the FTC's own "Start with Security" guidelines to greatly improve security in their organization. In this article, we highlight the five key tenets (the framework's five functions) and how following them could have prevented FTC action and penalties.
The framework is built around a "Framework Core," defined by the National Institute of Standards and Technology (NIST) as a "set of activities to achieve specific cybersecurity outcomes, and reference examples of guidance on how to achieve those outcomes."
The Core's five functions (Identify, Protect, Detect, Respond, Recover) can be used to organize and group information that management can use to execute security safeguards, measure improvements and prioritize security efforts.
The FTC emphasizes that the Cybersecurity Framework is not a "one-size-fits-all" way of managing cybersecurity risk, and it is certainly not a checklist. Rather, businesses can use the framework as a set of best practices and a "common language" to draw on when building a cybersecurity program.
It is important to note that the Framework is also closely related to the FTC's work on data security. For instance, over the last decade the FTC has undertaken substantial efforts to promote data security protections, such as:
- Civil law enforcement (using its "Unfair or Deceptive Acts or Practices" authority as the enforcement tool),
- Business and consumer education, and
- Recommendations to Congress to enact new legislation.
1. Identify: "Develop the organization's understanding to manage cybersecurity risk to systems, assets, data and capabilities."
In two separate complaints against HTC America, Inc. and TRENDnet, Inc., the FTC alleged that the two companies "did not have a process for receiving, addressing, or monitoring reports about security vulnerabilities." The HTC settlement was the FTC's first against a mobile device manufacturer and pointed out multiple security-practice deficiencies, including inadequate security and privacy training, no testing or auditing of the software on its mobile devices for potential security weaknesses, no requirement to use secure programming techniques, and no process for receiving and responding to vulnerability reports from third parties.
Similarly, TRENDnet shipped faulty software in its cameras that left them "open to online viewing, and in some instances listening, by anyone with the cameras' Internet addresses." Consistent with the Cybersecurity Framework, the FTC recommended a comprehensive security program to address security risks, patches to fix vulnerabilities, and third-party security assessments.
2. Protect: “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”
The FTC resolved two similar cases against Accretive Health, Inc. and Cbr Systems, Inc. because of the way an employee laptop and portable storage media, respectively, were poorly handled, which led to the theft and exposure of personal information. As highlighted in the Framework's "Protect" guidance, data must be transported safely and protected with strong security controls (such as whole-disk encryption on laptops, and password-protected, encrypted USB drives or backup media) so that the information stays protected if a device is lost or stolen.
3. Detect: "Develop and implement the appropriate activities to identify the occurrence of cybersecurity events."
The FTC alleged that Franklin's Budget Car Sales, Inc. allowed the installation of peer-to-peer (P2P) file-sharing software on its network, which resulted in sensitive data being uploaded to a P2P network and the compromise of 95,000 consumer records. These alleged deficiencies did not align with the Framework's "Detect" guidance, which includes the need to monitor networks for probable security events and for unauthorized devices, software or user connections.
4. Respond: "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."
Just last year, the FTC settled a case with Taiwan-based computer hardware maker ASUSTeK Computer, Inc., after ASUS failed to fix a number of critical security flaws in its routers that put thousands of home networks and consumers at risk. The complaint also included charges concerning the ASUS cloud services, whose flaws allowed thousands of cloud-connected storage devices to be compromised and exposed personal data online.
One of the important factors in the case, the FTC claims, is that ASUS neither notified its customers of the risk posed by unpatched router vulnerabilities nor addressed the security defects in a timely manner.
5. Recover: "Develop and implement the appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity event."
In the final example, the FTC settled a case with Oracle, alleging that the company had deceived consumers about the security update process for its Java Platform, Standard Edition software (Java SE). In short, Oracle failed to notify consumers that the Java SE update only replaced the most recent version of Java and did not remove the earlier versions. As most security practitioners know, criminals can craft malware to exploit vulnerabilities in those earlier versions. It is therefore important to remove legacy and unused software and to ensure all software is kept up to date.
Based on these lessons learned and its settlement with the FTC, Oracle has since changed its practices: it now notifies consumers during the Java SE update process if they may have outdated versions of the software on their computer (and of the risk of not removing them), and gives consumers an option to uninstall those versions.
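As an added example (not part of the original article, and not FTC, NIST or Oracle material), the following Python script shows the kind of software inventory review that both the Detect section (unauthorized P2P file-sharing software on the network) and the Recover section (older Java versions left behind by an update) call for. The inventory records, host names, product names, approved list and P2P name patterns are all constructed for the illustration; in practice the input would be an export from the organization's asset inventory or endpoint management tool.

```python
"""Software inventory review.

Flags (a) installed software that is not on the approved list, calling out
P2P file-sharing clients specifically, and (b) older releases of a product
that remain installed beside a newer one after an update.

Added illustration; all hosts, products, versions and lists are constructed.
"""
import re
from collections import defaultdict

# Constructed inventory export: "host,product,version", one record per line.
INVENTORY = """\
acct-laptop-07,Java SE Runtime,8.0.181
acct-laptop-07,Java SE Runtime,8.0.221
acct-laptop-07,Office Suite,16.0.4
sales-desk-12,Office Suite,16.0.4
sales-desk-12,ExampleShare P2P,5.3.1
svc-backup-01,Backup Agent,2.1.0
svc-backup-01,Backup Agent,2.0.7
"""

# Constructed approved-software list; anything not listed is a finding.
APPROVED = {"Java SE Runtime", "Office Suite", "Backup Agent"}

# Hypothetical name patterns for file-sharing clients; a real program would
# maintain these from its own software policy.
P2P_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"\bp2p\b", r"torrent")]


def parse_inventory(text):
    """Parse the CSV-like export into {host: [(product, version), ...]}."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        hosts[host].append((product, version))
    return hosts


def version_key(version):
    """Numeric tuple for comparison: '8.0.181' -> (8, 0, 181)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def review(text, approved=APPROVED):
    """Return sorted findings as (host, product, version, reason) tuples."""
    findings = []
    for host, entries in parse_inventory(text).items():
        by_product = defaultdict(list)
        for product, version in entries:
            by_product[product].append(version)
            # Detect check: software outside the approved list
            if product not in approved:
                reason = "unapproved software"
                if any(p.search(product) for p in P2P_PATTERNS):
                    reason = "unapproved P2P file-sharing software"
                findings.append((host, product, version, reason))
        # Recover check: an update that left the older release installed
        for product, versions in by_product.items():
            if len(versions) < 2:
                continue
            newest = max(versions, key=version_key)
            for v in versions:
                if v != newest:
                    findings.append(
                        (host, product, v, f"stale version left beside {newest}")
                    )
    return sorted(findings)


if __name__ == "__main__":
    for host, product, version, reason in review(INVENTORY):
        print(f"{host:15} {product:20} {version:8} {reason}")
```

On the constructed inventory this reports the stale Java SE 8.0.181 on the accounting laptop, the P2P client on the sales desktop, and the leftover Backup Agent 2.0.7 on the backup server. The version comparison is deliberately simple (numeric components only); products with non-numeric version schemes would need a product-specific comparator.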
Each of these five functional areas of the Cybersecurity Framework offers organizations simple, yet powerful security guidelines. Even this small sample of related FTC law enforcement cases and settlements gives business owners and operators good examples of the controls needed to reduce the chance of a similar incident in their own business.